Quick

@user29 said:

Feel like I am missing something easy and could use a nudge, I have the first password and I feel like im just sitting here playing guess the email, what am I missing. I have tried generating a bunch of potential things based on clues in other pages.

It is a bit of “guess the email” but this is pretty much the crux of enumeration. There is enough information available on the various bits you have access to, so that you can “guess” the email you need.

However, it might be better to use the information to create a wordlist then try a password spray attack.

Rooted!

Props to @MrR3boot

Oh, and the wonderful @TazWake for the nudge again. Always dropping those useful hints!

Rooted!!
Great box!

I have access to the login creds and t******.php, but I need help with my payload. I can get commands to execute (from what I can tell), but I can’t get anything useful to run successfully.

Edit: nvm I figured it out.

@TazWake said:
@user29 said:

Feel like I am missing something easy and could use a nudge, I have the first password and I feel like im just sitting here playing guess the email, what am I missing. I have tried generating a bunch of potential things based on clues in other pages.

It is a bit of “guess the email” but this is pretty much the crux of enumeration. There is enough information available on the various bits you have access to, so that you can “guess” the email you need.

However, it might be better to use the information to create a wordlist then try a password spray attack.

I’m still stuck guessing a valid username after taking these steps. I tried a lot of combinations. Any more hints?

@chonmayo said:

I’m still stuck guessing a valid username after taking these steps. I tried a lot of combinations. Any more hints?

Sadly, I cant think of any way to say more without it getting removed as a spoiler.

All I can say is you probably need to try more combinations. The information is on the site.

Finally rooted. This was quite a ride for me, but I’m happy I stuck with it. Here are my hints:

Foothold: The latest tech will save you.

User 1: If you can’t do it in one step, do it in three steps.

User 2: Writing can be so much more fun than reading.

Root: Once you find it, just try it out! Do NOT overcomplicate this last step or you’ll find yourself in a world of pain.

PM for nuggets.

Whew, user finally pwned… so many new techniques and ways to try harder.

Awesome box so far! On to root…

edit: User2 pwned, awesome privesc method :slight_smile:

edit: rooted!

Finally got user flag ! The foothold was quite frustrating!
I’m trying to spawn the reverse shell but I’m stuck! A nudge would be very welcome :slight_smile:
Now I am trying to decrypt a hash, the password doesn’t seems in rock***.
Edit: Rooted PM me for nudges

Type your comment> @chonmayo said:

@TazWake said:
@user29 said:

Feel like I am missing something easy and could use a nudge, I have the first password and I feel like im just sitting here playing guess the email, what am I missing. I have tried generating a bunch of potential things based on clues in other pages.

It is a bit of “guess the email” but this is pretty much the crux of enumeration. There is enough information available on the various bits you have access to, so that you can “guess” the email you need.

However, it might be better to use the information to create a wordlist then try a password spray attack.

I’m still stuck guessing a valid username after taking these steps. I tried a lot of combinations. Any more hints?

I had to try about 20k combinations before getting it, for what it’s worth

Would someone mind taking a look at my e-mail creating script and help point me to what I’m doing wrong?

EDIT: Got it, thanks to the nudge from @jhnhnck. On to user!

Anyone got any tips for root? I am just absolutely clueless as for what to do here, which is weird because according to everyone else this is the easiest part…

Okay my tip is KISS

I don’t know why but yesterday I could get the user, and today I can’t find any new tickets created, the search always returns 200 empty responses, after posting a new correct ticket, the box has been reset two times… bored

Type your comment> @k30j1 said:

I don’t know why but yesterday I could get the user, and today I can’t find any new tickets created, the search always returns 200 empty responses, after posting a new correct ticket, the box has been reset two times… bored

are you using the right url? one of them tends to not return anything for that request.

Type your comment> @user29 said:

are you using the right url? one of them tends to not return anything for that request.

■■■■, you saved my mind, i feel so stupid x) Thanks man !

Edit : Rooted !

Thanks again user29 and @nicoswd too :slight_smile:

Feel free to pm me for help !

Type your comment> @k30j1 said:

Type your comment> @user29 said:

are you using the right url? one of them tends to not return anything for that request.

■■■■, you saved my mind, i feel so stupid x) Thanks man !

Glad I could help! There were a lot of moments like that for me with this box.

The http and the https ports are closed, even after reset…WTF?

@Dzsanosz They are not open on this machine.

Just completed. Nice box for a rainy Sunday afternoon.
Overall logic seems to be similar to other machines of the author (or its perhaps just a subjective impression of main). I would give it a decent 30 points rather than 40 but its again only my evaluation.

My three cents:

Initial Foothold:
Everything has already been written, including required tooling so I can only confirm that it was the most painful part.

User1:
Evaluate the app, do some googling after evaluating the traffic. There are some nice articles on Internet. Split whats complicated into parts.

User2:
See what else is running on the box. Read some code. Get access. If you cannot break what you need (or it requires to much work) then perhaps just change it. Simple scripting and you are there (you can reuse your tooling from initial foothold).

Root:
Stay where you are. Basic enum and do not be shy, just get in.

The box was quite enjoyable.